ASL IT Security is frequently hired for code review work after other providers or internal efforts have fallen short. Often the root cause is over-reliance on automated scanners. Even the best brand-name tools in the code-review category produce incomplete findings and a high rate of false positives, which wastes everyone's time on follow-up and erodes confidence in the vulnerability management team overall. Automated scanning that is not embedded in a disciplined process, alongside expert manual penetration testing and other essential tools, is at best an incomplete code-review solution.
Methodically reviewing your software for latent security issues before release is a job that calls for an independent third party with proven expertise in deep manual pen testing. Security is often seen as a barrier to building easy-to-use software: it adds cost and it can slow down releases. It is also likely that your application programmers are not security experts. Even if your developers do have security expertise and experience, that can raise a legitimate flag of its own: it may lead them to unilaterally bake well-intentioned security decisions into the code when those decisions are only one of several options they could have chosen. In such cases it makes sense to have a true security expert review the developers' security design decisions before the software goes into full production. This applies equally to:
>> Software developed in house
>> Software developed for you by others under contract, or
>> Software procured from a commercial provider
We are experts at finding security issues in application software, from design decisions to insecure coding practices. It is one of our core competencies, and one in which we are heavily invested:
>> We stay cutting-edge current on the latest application security issues and exploits
>> We have the most effective lab environment and tools available
>> We have highly disciplined, expert code analysts and pen testers who rigorously follow our proven methods and well-established procedures on every engagement
Our code review services focus primarily on two classes of problem: design flaws and implementation bugs.
>> Design flaws are poor design choices, such as selecting an inappropriate source of randomness for cryptographic key generation, or a weak or non-compliant authentication scheme
>> Implementation bugs are coding errors, typically misuse of language constructs or APIs, that introduce security vulnerabilities into an otherwise sound design
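The randomness flaw named above is worth seeing concretely. The following Python script is an added illustration written for this page, not code from ASL IT Security or from any client engagement. It derives a 128-bit key from a non-cryptographic generator (Python's Mersenne Twister, `random.Random`) seeded with a Unix timestamp, then shows how an attacker who can bound the generation time to a one-hour window recovers the key by brute force. The corrected design draws the key from the operating system's CSPRNG via the `secrets` module. The function names, the 16-byte key size and the one-hour search window are assumptions for this example.

```python
"""
Added example: a predictable-seed key-generation flaw beside its fix.
Not part of the original page; names, key size and search window are
assumptions chosen for illustration.
"""
import random
import secrets
import time

KEY_BYTES = 16  # 128-bit key (assumed size for this example)


def weak_key(seed: int) -> bytes:
    """Flawed design: Mersenne Twister seeded with a value an attacker can
    guess, e.g. int(time.time()) taken at key-generation time. The output is
    fully determined by the seed, so the key is only as secret as the seed."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def recover_weak_key(target: bytes, seed_lo: int, seed_hi: int):
    """Attacker's view: try every candidate seed in [seed_lo, seed_hi] and
    return the one that regenerates the observed key, or None if no seed in
    the window matches."""
    for seed in range(seed_lo, seed_hi + 1):
        if weak_key(seed) == target:
            return seed
    return None


def strong_key() -> bytes:
    """Corrected design: key material from the OS CSPRNG. There is no
    application-controlled seed, so there is nothing for an attacker to guess."""
    return secrets.token_bytes(KEY_BYTES)


def demo() -> bool:
    """Victim generated a key 30 minutes ago with the weak generator; the
    attacker only knows it was generated within the last hour. Returns True
    if the brute-force search recovers the exact seed (and hence the key)."""
    gen_time = int(time.time()) - 1800
    victim_key = weak_key(gen_time)
    now = int(time.time())
    found = recover_weak_key(victim_key, now - 3600, now)
    return found == gen_time


if __name__ == "__main__":
    print("weak key recovered from one-hour window:", demo())
    print("two strong keys are distinct:", strong_key() != strong_key())
```

The search over 3600 seeds completes in well under a second, which is the point: a reviewer who sees a key derived from `random`, `rand()`, `Math.random()` or any other non-cryptographic generator should flag it as a design flaw regardless of how the seed is chosen, and the fix is to use the platform's CSPRNG rather than to pick a harder-to-guess seed.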
Our code review validates the security of both your application design and its underlying code, and is carried out in a pre-production environment. First, an in-depth static code review (visual inspection, assessment scans and related techniques) is completed. Then, where warranted, an aggressive manual pen testing process verifies any suspected vulnerabilities so that findings are confirmed rather than merely reported.
Finally, based on the results of the static code review and manual pen testing, we may also recommend that you engage us after release to test the software in its full production environment (that is, on the actual production server, plugged into the network and fully enabled for its real mission). This ensures that any platform, operating system, middleware, networking or other issues that an attacker could exploit, with or without login credentials, are brought to your security team's attention sooner rather than later.